IAM Roles

The following diagram illustrates how IAM roles control access to your HDCloud AWS resources:

IAM roles are created automatically upon launching the cloud controller and creating a cluster. These roles follow
the principle of least privilege: each role is granted only the minimal set of actions (or capabilities) it requires.

CloudbreakRole

The CloudbreakRole, associated with the EC2 instance of the cloud controller, is used by the cloud controller
to access resources when creating clusters.

An instance profile (a container for an IAM role that you can use to pass role information to an EC2 instance when
the instance starts) is created for the role and attached to the cloud controller instance. This allows the EC2 instance
to call AWS services on your behalf, which is what enables advanced features (such as autocomplete) in the web UI.

CredentialRole

This is an AWS cross-account access role that provides the capabilities required for cluster creation. This role also
grants permission for creating additional roles (S3AccessRole and LambdaExecutionRole).
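A cross-account access role is only as safe as its trust policy: it should name one specific trusted account and require an ExternalId, so that a third party cannot trick the trusted account into assuming the role on its behalf (the confused-deputy problem). The following added example, which is not HDCloud's own role definition, builds such a trust policy and checks an arbitrary trust policy for the two weaknesses a reviewer looks for: a wildcard principal and a missing sts:ExternalId condition. The account ID and ExternalId values are constructed placeholders.

```python
"""Build and review a cross-account IAM role trust policy.

Added example, not HDCloud's own role definition. The account ID and
ExternalId below are constructed placeholders.
"""
import json

TRUSTED_ACCOUNT = "111111111111"          # constructed: account allowed to assume the role
EXTERNAL_ID = "example-external-id-42"    # constructed: value agreed out of band


def build_cross_account_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy that lets exactly one account assume the role, and only
    when the AssumeRole call presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return a list of human-readable findings for a trust policy document.

    Flags (a) statements that let any AWS principal assume the role and
    (b) AWS-account trusts that carry no sts:ExternalId condition.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written bare
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue                           # not an AssumeRole grant
        principal = stmt.get("Principal")
        aws_principals = []
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            p = principal.get("AWS", [])
            aws_principals = [p] if isinstance(p, str) else list(p)
        if "*" in aws_principals:
            findings.append(f"statement {i}: any AWS principal may assume this role (Principal '*')")
        cond = stmt.get("Condition", {})
        has_external_id = any(
            isinstance(v, dict) and "sts:ExternalId" in v
            for k, v in cond.items() if k in ("StringEquals", "StringLike")
        )
        if aws_principals and not has_external_id:
            findings.append(f"statement {i}: AWS-account trust without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_cross_account_trust_policy(TRUSTED_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

Run the review function against the trust policy of any cross-account role you are asked to create (for example via `aws iam get-role` output); an empty findings list is the expected result for a role shaped like the one built above.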

LambdaExecutionRole

If during deployment you choose to launch the cloud controller instance inside an existing VPC, then the LambdaExecutionRole
is created automatically. This role is used to enable advanced validation of the VPC and subnet, which is done by a
Lambda function that backs a custom AWS resource in the stack. If this validation fails, the custom resource creation,
and with it the overall stack creation process, is marked as CREATE_FAILED.
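The mechanism above is the standard CloudFormation custom-resource pattern: the stack invokes a Lambda function, the function performs a check, and it reports SUCCESS or FAILED back to the pre-signed ResponseURL that CloudFormation passes in the event; a FAILED reply is what turns into CREATE_FAILED. The following added example, which is not HDCloud's own validation function, shows a minimal validator of that shape: it checks that the given subnet exists and belongs to the given VPC. It assumes the custom-resource event fields (RequestType, ResponseURL, StackId, RequestId, LogicalResourceId, ResourceProperties) and uses a constructed in-memory stand-in for the EC2 client so it runs offline.

```python
"""CloudFormation custom resource that validates a VPC/subnet pair.

Added example, not HDCloud's own Lambda. Assumes the custom-resource
protocol: the event carries ResponseURL, StackId, RequestId and
LogicalResourceId, and the function PUTs a JSON body with Status
SUCCESS or FAILED to ResponseURL. FakeEC2 and the sample event below
are constructed for offline use.
"""
import json
import urllib.request
from typing import Optional


def validate_vpc_subnet(ec2, vpc_id: str, subnet_id: str) -> Optional[str]:
    """Return None if subnet_id exists and lies in vpc_id, otherwise a reason string.
    `ec2` is any object exposing describe_subnets(SubnetIds=[...]) (boto3 client or fake)."""
    try:
        resp = ec2.describe_subnets(SubnetIds=[subnet_id])
    except Exception as exc:                     # boto3 raises ClientError for unknown ids
        return f"subnet {subnet_id} could not be described: {exc}"
    subnets = resp.get("Subnets", [])
    if not subnets:
        return f"subnet {subnet_id} not found"
    actual_vpc = subnets[0].get("VpcId")
    if actual_vpc != vpc_id:
        return f"subnet {subnet_id} belongs to {actual_vpc}, not {vpc_id}"
    return None


def build_cfn_response(event: dict, status: str, reason: str = "") -> dict:
    """Body of the reply sent back to CloudFormation for this custom resource."""
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch Logs for details",
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": {},
    }


def send_cfn_response(response_url: str, body: dict) -> None:
    """PUT the response body to the pre-signed URL CloudFormation supplied."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(response_url, data=data, method="PUT",
                                 headers={"Content-Length": str(len(data))})
    urllib.request.urlopen(req)


def handler(event: dict, context=None, ec2=None, send=send_cfn_response) -> dict:
    """Lambda entry point. Delete requests always succeed so a failed stack can roll back."""
    if ec2 is None:
        import boto3                             # only needed when running inside Lambda
        ec2 = boto3.client("ec2")
    if event.get("RequestType") == "Delete":
        body = build_cfn_response(event, "SUCCESS")
    else:
        props = event.get("ResourceProperties", {})
        reason = validate_vpc_subnet(ec2, props.get("VpcId", ""), props.get("SubnetId", ""))
        body = build_cfn_response(event, "FAILED" if reason else "SUCCESS", reason or "")
    send(event["ResponseURL"], body)             # FAILED here => stack ends CREATE_FAILED
    return body


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client: subnet id -> VPC id."""
    def __init__(self, table: dict):
        self.table = table

    def describe_subnets(self, SubnetIds):
        found = [{"SubnetId": s, "VpcId": self.table[s]} for s in SubnetIds if s in self.table]
        if not found:
            raise ValueError("InvalidSubnetID.NotFound")
        return {"Subnets": found}


SAMPLE_EVENT = {                                 # constructed custom-resource Create event
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation.invalid/presigned-response-url",
    "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/example/0000",
    "RequestId": "request-0001",
    "LogicalResourceId": "VpcSubnetValidation",
    "ResourceProperties": {"VpcId": "vpc-0a", "SubnetId": "subnet-0a"},
}


def demo(vpc_id: str, subnet_id: str) -> dict:
    """Run the handler offline against the fake client and return the reply body."""
    ec2 = FakeEC2({"subnet-0a": "vpc-0a", "subnet-0b": "vpc-0b"})
    event = dict(SAMPLE_EVENT, ResourceProperties={"VpcId": vpc_id, "SubnetId": subnet_id})
    return handler(event, ec2=ec2, send=lambda url, body: None)


if __name__ == "__main__":
    print(json.dumps(demo("vpc-0a", "subnet-0a")))   # SUCCESS
    print(json.dumps(demo("vpc-0a", "subnet-0b")))   # FAILED: subnet in another VPC
```

The design point for a role like LambdaExecutionRole follows from the code: the function only needs ec2:DescribeSubnets (plus CloudWatch Logs writes) to do its job, so that is all the execution role should carry.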

S3AccessRole

During cluster creation, you have an option under SECURITY > Instance Role to create
this new AWS role to grant S3 access, to select an existing role that provides S3 access, or to use no
S3 role at all if you are not planning to use S3. If you choose the first option, the S3AccessRole is created for you.